Cyber security: The real risks to your data
29th September 2016
There’s a lot of hype around data hackers, but there’s a much bigger cyber security risk you should be focusing on.
Many organisations are worried about external threats; 84% of health professionals surveyed by the RCNi said they feared cyber-attacks were going to get worse.
Recent headlines include malicious hackers selling hundreds of millions of Yahoo account details on the dark web and vulnerabilities found in Internet of Things (IoT) devices like smart locks and wheelchairs.
Hackers have already found ways of accessing the information on devices running the latest internet operating system, iOS 10, just weeks after it was first released.
Of course, the danger is real and needs to be taken seriously. But concentrating on external threats can mean overlooking a greater risk closer to home.
What are the real threats?
The annual Data Breach Investigations Report by Verizon is the most detailed analysis of real-life cyber security breaches. Each year, they analyse thousands of real incidents when preparing their report.
Their research reveals that people are the biggest vulnerability for any organisation, with various attack strategies taking advantage of an employee’s lack of knowledge in data security.
Different industries experience different patterns of attack, as shown in this table.
Passwords are the most common form of security for your web accounts and data. Having a strong, unique password is one of the most important things an individual can do to keep their accounts secure.
If your email password is compromised, it’s often possible to access other accounts, either using the same details if the password is re-used, or by resetting the passwords on the other accounts using the email account.
Whichever route an attacker takes to access sensitive data, there’s always a password involved at some stage. If it’s a strong password, they are less likely to successfully get to the data.
- 63% of confirmed data breaches leverage a weak or stolen password
Using easy-to-guess passwords is a big issue for business systems. When a password is used for multiple accounts, it becomes even more of a potential threat.
However tough your password is for a machine to guess, there are ways to capture the information if your employees aren’t trained to spot them.
The average business email user receives 90 emails a day. Even with email filters in place, your employees are likely to receive several phishing emails a week.
Once an attacker has captured credentials through phishing, or simply by purchasing them online from other hacker groups, they can use them to access secure data.
Phishing is the practice of sending malicious emails that look genuine and encourage a user to visit a link or click on an attachment. The action most often triggers the installation of malware that can steal information or log the user’s actions.
- 30% of phishing emails were opened, up from 23% the previous year
- 12% of phishing email recipients click on attachments
- 3% of targeted individuals report phishing attempts to management
Phishing attacks are still growing and becoming more sophisticated as people become familiar with the traditional patterns.
One of the most common ways data falls into the wrong hands is through an error by an employee.
The main errors attributable to employees are:
- Capacity shortage: Heavy but legitimate traffic takes down a site or service
- Misdelivery: Sending data to the wrong person
- Publishing error: Making sensitive data publicly available
- Misconfiguration: Accidentally giving people access to sensitive data
- Disposal error: Not deleting or disposing of data securely
Capacity shortage and misconfiguration are generally limited to IT departments, but the other factors are important for all employees.
Errors like these are avoidable and training can play a big part in reducing the impact they have on your organisation’s data security.
What can you do?
All of the most common ways your data is put at risk can be tackled with training.
Letting employees know how important their role is in cyber security should be a priority of the training. Increasing confidence when dealing with the different aspects of personal data security will result in a workforce who are better able to deal with new threats.
- Engage your learners
It’s easy for mandatory compliance training to become a boring experience for your learners. Make your cyber security training interesting and reap the rewards of more secure data.
- Keep up to date and consistent
Cyber criminals are often opportunists, and if an attacker doesn’t find an easy way in, they will move on to a weaker target. Getting the message out consistently to all your employees is key to good cyber security.
The Data Breach Report highlights many situations where one attack compromises an account which is then used to attack a colleague or business partner from a trusted source.
Making sure everyone is able to identify a phishing email and understands good password security can cut out the majority of attacks.
- Have conversations
Starting a conversation amongst your colleagues about data security can highlight best practices and any potential issues before they become a problem.
- Make reporting easy
Once training has given your employees the ability to identify a threat or vulnerability, make it easy for them to report it.
The process should be simple and accessible for all. The more you know about the potential threats to your data, the more you can protect against them.
When you have a record of the common issues that your employees are facing you will be able to plan an effective strategy to prevent them in the future.
Create an online learning programme that engages your learners and gives them the knowledge and confidence to take control of your company’s data security.
Sponge work with organisations to create programmes that effectively minimise the risk and prepare for the consequences of a data breach.